Do you have a Central Quarantine server set up? If not, this may be something 
you want to do. If you haven't looked into it, what this server does is accept 
all quarantined files and will submit samples of infected files to Symantec if 
no definitions exist for the infected file.

Anyway, I think it is best to completely wipe and re-image any infected 
machines with a virus of this type.

_________________________
 
Daniel DeStefano
PC Support Specialist


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom
Sent: Monday, November 22, 2004 4:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] virus/worm


I run a virus scan in safe mode and it's hit or miss if Symantec gets it. So I 
end up manually deleting the files and reg keys. Typically the files are found 
in system32 and sometimes in the default user profile.
My IT manager is looking into the "Cisco self defending networks" solution 
which I'm pretty sure is big $$$.
I'm trying to find something cheaper. Like using existing tools - AD 
GPOs, Symantec continuous live update, scripting, locking down desktops, etc.
What do you think? And has anyone had experience with the Cisco solution?
Thanks

-----Original Message-----
From: ASB [mailto:[EMAIL PROTECTED]
Sent: Monday, November 22, 2004 3:34 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] virus/worm


Wait until your boss's machine gets infected.  Maybe that's what it
will take to get the policy changed.

And you should try using another AV product if the current one is not
keeping your systems cleaned from known viruses.

How are you cleaning them when you find them?   (read: are you sure
you're actually cleaning them?)

-ASB


On Mon, 22 Nov 2004 15:27:58 -0500, Kern, Tom <[EMAIL PROTECTED]> wrote:
> Hi all. I am having a serious issue with bot type worms that keep infecting 
> my machines over and over. It doesn't matter that I'm fully patched and my 
> virus defs are up to date.
> I use Symantec Corporate Edition 9.0 in a win2k mixed mode AD environment. My 
> machines all have the most up to date patches and hot fixes.
> I have seen machines that are up to date in everything get reinfected time 
> and time again. The worm is a variant of what Symantec calls Spybot.worm32. 
> It usually creates an exe in system32 called Explorer.exe or 386.exe or 
> svchosting.exe and no matter the defs it slips by Symantec.
> 
> This is a posting perhaps better sent to a virus or Symantec list, but you 
> guys seem really knowledgeable and I'd like to pick your collective brains 
> about how to deal with this issue.
> I assume it's getting in via laptop users who take their PCs home at night or 
> some of our traveling sales guys, but if my desktops are up to date and 
> patched, they shouldn't get infected.
> No?
> Am I being naive?
> 
> Finally, we are a liquor distributor and a lot of times we have suppliers from 
> other companies come in with laptops that give PowerPoint presentations and 
> access our internet connection. These guys are from elsewhere so they don't 
> have accounts in our domain and thus log in locally.
> How can I protect myself against these guys? Management insists they be 
> allowed to do their thing with their laptops on our network when they come in 
> and since they don't log into our domain, I can't even push out a GPO and I'm 
> at the mercy of these guys and what their IT dept did or did not do.
> Help!
> 
> Thanks a lot. If I can get a solution to just one of these 2 questions, I'll be 
> a happy man.
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/